Monday, September 9, 2019

“Lagtime” Chinese APT Campaign

In July 2019, Proofpoint reported a new malware campaign named “Operation Lagtime IT.” The campaign targets government agencies in East Asia and leverages malicious RTF documents to deliver multiple payloads, including a new custom malware payload dubbed “Cotx RAT.”

To read the full article in our portal and find an archive of related reporting, follow this link: https://redskyalliance.org

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: September 9, 2019 

On 9 September 2019, Wapack Labs identified 18 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media, and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   
Reporting Period: September 9, 2019

Wapack Labs identified connections from 124,716 new unique IP addresses that are checking in to one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Monday, August 26, 2019

Cryxos Trojan Malware Uptick

Hackers can program Trojans like Cryxos to accomplish pretty much anything they want. In August 2019, Wapack Labs observed a significant uptick in malicious emails delivering malware identified as Cryxos. The observed malware is currently being delivered to users in Brazil; however, thousands of related specimens were observed on VirusTotal, indicating a widespread campaign affecting multiple countries.

To read the full article in our portal and find an archive of related reporting, follow this link: https://redskyalliance.org/finished-analysis/cryxos-variant

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   
Reporting Period: August 26, 2019

Wapack Labs identified connections from 63,336 new unique IP addresses that are checking in to one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: August 26, 2019 

On 26 August 2019, Wapack Labs identified 14 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media, and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Thursday, August 22, 2019

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   
Reporting Period: August 19, 2019

Wapack Labs identified connections from 29,051 new unique IP addresses that are checking in to one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: August 19, 2019 

On 19 August 2019, Wapack Labs identified 102 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media, and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Monday, August 12, 2019

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: August 12, 2019 

On 12 August 2019, Wapack Labs identified 32 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media, and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   
Reporting Period: August 12, 2019

Wapack Labs identified connections from 77,164 new unique IP addresses that are checking in to one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Friday, August 9, 2019

Health Center Gets Hit With Ransomware, Twice!

In April 2019, Park Duvalle Community Health Center (PDCHC), located in Louisville, KY, was targeted with an unspecified variant of ransomware. It took PDCHC three weeks to restore their files from backup and make the network fully functional. On June 7, 2019, PDCHC was hit again with ransomware; the attackers requested a payment of approximately $70,000 worth of Bitcoin.

To read the full article in our portal and find an archive of related reporting, follow this link: https://redskyalliance.org/healthcare/

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   
Reporting Period: August 5, 2019

Wapack Labs identified connections from 40,141 new unique IP addresses that are checking in to one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: August 5, 2019 

On 5 August 2019, Wapack Labs identified 4,079 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media, and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

Thursday, August 8, 2019

Wapack Labs REDXRAY Threat Report (1 company with new threats)

Banks and Credit Unions

REDXRAY Threat Report

All hits in this notification should be investigated by an analyst before being actioned or blocked. For more information, please contact Wapack Labs at 888-733-9729.

People's United Financial

Botnet Tracker - 0 Breach Data - 2 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Bank of New England: No new indicators for this company in the past 24 hours.

Bank of New Hampshire: No new indicators for this company in the past 24 hours.

Bellwether Community Credit Union: No new indicators for this company in the past 24 hours.

Cambridge Trust Company of New Hampshire, Inc.: No new indicators for this company in the past 24 hours.

Charter Trust Company: No new indicators for this company in the past 24 hours.

Claremont Savings Bank: No new indicators for this company in the past 24 hours.

Deutsche AM Trust Company: No new indicators for this company in the past 24 hours.

Exeter Trust Company: No new indicators for this company in the past 24 hours.

Franklin Savings Bank: No new indicators for this company in the past 24 hours.

Granite Bank: No new indicators for this company in the past 24 hours.

Granite State Credit Union: No new indicators for this company in the past 24 hours.

Hemenway Trust Company LLC: No new indicators for this company in the past 24 hours.

Holy Rosary Regional Credit Union: No new indicators for this company in the past 24 hours.

Members First Credit Union of New Hampshire: No new indicators for this company in the past 24 hours.

Meredith Village Savings Bank: No new indicators for this company in the past 24 hours.

Merrimack County Savings Bank: No new indicators for this company in the past 24 hours.

New Hampshire Postal Credit Union: No new indicators for this company in the past 24 hours.

New Hampshire Trust Company: No new indicators for this company in the past 24 hours.

Newport Trust Company: No new indicators for this company in the past 24 hours.

Northeast Credit Union: No new indicators for this company in the past 24 hours.

Northern Trust Corp.: No new indicators for this company in the past 24 hours.

Northway Bank: No new indicators for this company in the past 24 hours.

Peoples Bank: No new indicators for this company in the past 24 hours.

Perspecta Trust LLC: No new indicators for this company in the past 24 hours.

Piscataqua Savings Bank: No new indicators for this company in the past 24 hours.

Primary Bank: No new indicators for this company in the past 24 hours.

Profile Bank: No new indicators for this company in the past 24 hours.

Salem Cooperative Bank: No new indicators for this company in the past 24 hours.

Savings Bank of Walpole: No new indicators for this company in the past 24 hours.

Service Credit Union: No new indicators for this company in the past 24 hours.

St. Mary's Bank: No new indicators for this company in the past 24 hours.

Sugar River Bank: No new indicators for this company in the past 24 hours.

Triangle Credit Union: No new indicators for this company in the past 24 hours.

VantageTrust Company, LLC: No new indicators for this company in the past 24 hours.

Woodsville Guaranty Savings Bank: No new indicators for this company in the past 24 hours.

Botnet_tracker

If your IP address is found in botnet tracker, it means that it was seen in a communication with a malicious endpoint. This does not automatically indicate a malware infection as there are a number of reasons why two IP addresses might communicate. The traffic should first be inspected before escalating to incident responders.

Keylogger

A keylogger hit means your domain or IP address appeared in a keylogger output file. This means one of the following: 1) keylogger malware is running on your network; 2) a username and password belonging to an employee was captured by a keylogger; 3) an email address was observed in clipboard data on an infected computer (for example, somebody cut and pasted an email address belonging to your organization). The raw source data must be investigated first to determine the course of action.

Malicious Emails

If your domain or IP address shows up in this collection, it means it was observed in the header of an email that has been identified as malicious (one or more AV detections). The raw email should be inspected to see whether it was sent to or from your organization, or whether it was spoofed using your organization's data. It should be noted that some AV vendors classify emails as malicious when they are actually benign. Malicious email hits only indicate targeting, not malware infections.

Pastebin

A pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each pastebin hit must be individually analyzed to determine context.

Sinkhole data

A sinkhole hit means your IP was observed in weblogs from our sinkhole server. Similar to the botnet_tracker hits, it only means that communication was observed. The nature of that communication needs to be determined from the raw sinkhole record. If the sinkhole hit is a result of a malware infection, then the information should be referred to incident responders.

Breach Data

Breach data hits are from public database leaks. Depending on the nature of the leaked database, exposed information may vary from just email addresses to username and password combinations and other personally identifiable information. RedXray contains the raw breach data so you can easily see what type of data has been exposed. If the breach data contains passwords, then Wapack Labs recommends enforcing a password reset and investigating whether there has been unauthorized access to the account.

Threat Recon

Threat recon consists of both primary-sourced and open-sourced indicators from dozens of sources. Each hit from this collection should be individually analyzed, as each source has different context. Threat recon records contain references to the original source.
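The count lines in both REDXRAY reports on this page are flattened "Category - N" records, and the legend above says what a non-zero count in each collection means and what an analyst has to pull before acting on it. The following Python is an added example, not Wapack Labs or REDXRAY code: it parses those lines into per-company counts, totals them per collection, and builds an analyst queue ordered by count, with the next step for each hit taken from the legend. The sample report embedded in the block is constructed from the names and counts on this page; the function names and the NEXT_STEP table are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input in the flattened "Category - N" form used by the
# REDXRAY notification lines on this page; names and counts are copied from
# the two reports above. Assumed layout: company name line, blank, count line.
SAMPLE_REPORT = """\
Abraham LLC

Botnet Tracker - 0 Breach Data - 5384 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Radiant Global Logistics

Botnet Tracker - 0 Breach Data - 10892 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 208 Sinkhole Traffic - 0 ThreatRecon Records - 0

Uber Technologies, Inc.

Botnet Tracker - 0 Breach Data - 2134 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 1

Bank of New England: No new indicators for this company in the past 24 hours.
"""

# "Category - N" pairs; the dash may or may not be preceded by a space
# ("Malicious Emails Context- 0"), so whitespace around it is optional.
HIT_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*-\s*(\d+)")
NO_NEW = "No new indicators for this company in the past 24 hours."

# Next step per collection, paraphrased from the legend on this page.
# Hypothetical table for this example; collections the legend does not
# describe fall through to the generic analyst-review default.
NEXT_STEP = {
    "Botnet Tracker": "inspect the traffic before escalating; communication only, not proof of infection",
    "Sinkhole Traffic": "read the raw sinkhole record; refer to IR only if it reflects an infection",
    "Keylogger Records": "investigate the raw keylogger output: running malware, captured credential, or clipboard data",
    "Malicious Emails": "inspect the raw email (to, from, or spoofing your domain); targeting only, and AV can misclassify",
    "Pastebin": "read the paste; context decides whether it is malicious or benign",
    "Breach Data": "check the raw breach data; if passwords are present, force a reset and look for unauthorized access",
    "ThreatRecon Records": "follow the reference to the original source; context differs per source",
}
DEFAULT_STEP = "analyst review before any blocking action"


def parse_report(text):
    """Return {company: {category: count}}.

    Companies reported with no new indicators are kept with an empty dict so
    they are visible in the output rather than silently dropped.
    """
    companies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Botnet Tracker"):
            if current is None:
                raise ValueError("count line without a preceding company name")
            companies[current] = {name.strip(): int(n) for name, n in HIT_RE.findall(line)}
            current = None
        elif line.endswith(NO_NEW):
            companies[line.split(":", 1)[0].strip()] = {}
        else:
            current = line  # a company name line
    return companies


def triage_queue(companies):
    """(company, category, count, next_step) for every non-zero count, largest first."""
    queue = []
    for company, counts in companies.items():
        for category, count in counts.items():
            if count:
                queue.append((company, category, count, NEXT_STEP.get(category, DEFAULT_STEP)))
    queue.sort(key=lambda row: row[2], reverse=True)
    return queue


def category_totals(companies):
    """Sum each collection's count across all companies in the report."""
    totals = defaultdict(int)
    for counts in companies.values():
        for category, count in counts.items():
            totals[category] += count
    return dict(totals)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for company, category, count, step in triage_queue(report):
        print(f"{count:>6}  {company:<26} {category:<20} -> {step}")
    print("totals:", category_totals(report))
```

The queue lists only non-zero counts, which matches the rule at the top of each report that every hit is investigated by an analyst before it is actioned or blocked; the count alone never decides, it only orders the work.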

Wapack Labs REDXRAY Threat Report (21 companies with new threats)

National Defense Transportation

REDXRAY Threat Report

All hits in this notification should be investigated by an analyst before being actioned or blocked. For more information, please contact Wapack Labs at 888-733-9729.

Abraham LLC

Botnet Tracker - 0 Breach Data - 5384 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Accenture

Botnet Tracker - 0 Breach Data - 12 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Aegis Strategies LLC

Botnet Tracker - 0 Breach Data - 214850 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Agency & NW Regional President

Botnet Tracker - 0 Breach Data - 26 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Crane Worldwide Logistics

Botnet Tracker - 0 Breach Data - 4 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

DHL Global Forwarding

Botnet Tracker - 0 Breach Data - 10 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

HQ USTRANSCOM/J4-LT

Botnet Tracker - 0 Breach Data - 1470 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Military Sealift Command

Botnet Tracker - 0 Breach Data - 16 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Oracle

Botnet Tracker - 0 Breach Data - 26 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

PricewaterhouseCooper

Botnet Tracker - 0 Breach Data - 20 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Radiant Global Logistics

Botnet Tracker - 0 Breach Data - 10892 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 208 Sinkhole Traffic - 0 ThreatRecon Records - 0

State Department

Botnet Tracker - 0 Breach Data - 4 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

The Boeing Company

Botnet Tracker - 0 Breach Data - 16 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

USTRANSCOM

Botnet Tracker - 0 Breach Data - 574 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 4 Sinkhole Traffic - 0 ThreatRecon Records - 0

Uber Technologies, Inc.

Botnet Tracker - 0 Breach Data - 2134 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 1

Union Pacific Railroad

Botnet Tracker - 0 Breach Data - 2 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

United Airlines

Botnet Tracker - 0 Breach Data - 2 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 0 Sinkhole Traffic - 0 ThreatRecon Records - 0

Wounded Warrior Project

Botnet Tracker - 0 Breach Data - 5548 Keylogger Records - 0 Malicious Emails - 0 Malicious Emails Context- 0 Malicious Email Detections- 0 Pastebin - 99 Sinkhole Traffic - 0 ThreatRecon Records - 0